
=====================================================================

                              CERT-Renater

                  Information Note No. 2021/VULN605
_____________________________________________________________________

DATE                : 12/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running jobfair for TYPO3 versions prior to
                     1.0.13, 2.0.2,
                     "pixx.io integration for TYPO3 (DAM)" (pixxio)
                     versions prior to 1.0.6,
                     "Code Highlight" (codehighlight) versions prior to
                     2.7.0,
                     "Google for Jobs" (google_for_jobs) versions prior
                     to 1.5.1, 2.1.1.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2021-018
https://typo3.org/security/advisory/typo3-ext-sa-2021-017
https://typo3.org/security/advisory/typo3-ext-sa-2021-016
https://typo3.org/security/advisory/typo3-ext-sa-2021-015
_____________________________________________________________________

Wed. 10th November, 2021

TYPO3-EXT-SA-2021-018: Sensitive Data Exposure in extension "Job Fair"
(jobfair)

Categories: Development, Security
Created by Torben Hansen

It has been discovered that the extension "Job Fair" (jobfair) is
susceptible to Sensitive Data Exposure.

    Release Date: November 10, 2021
    Component Type: Third party extension. This extension is not a part
      of the TYPO3 default installation.
    Component: "Job Fair" (jobfair)
    Vulnerability Type: Sensitive Data Exposure.
    Affected Versions: 1.0.12 and below, 2.0.0 - 2.0.1
    Severity: Medium
    Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C
    References: CVE-2021-43564


Problem Description

The extension fails to protect or obfuscate filenames of uploaded files.
This allows unauthenticated users to download files with sensitive data
by simply guessing the filename of uploaded files (e.g.
uploads/tx_jobfair/cv.pdf).

Note that the extension has been re-uploaded as version 2.0.0 including
the same security vulnerability as announced in TYPO3-EXT-SA-2020-007.


Solution

Updated versions 1.0.13 and 2.0.2 are available from the TYPO3 extension
manager, Packagist and at
https://extensions.typo3.org/extension/download/jobfair/2.0.2/zip
https://extensions.typo3.org/extension/download/jobfair/1.0.13/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Nikita Hovratov for providing an updated version of the
extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________


Wed. 10th November, 2021

TYPO3-EXT-SA-2021-017: Multiple vulnerabilities in extension "pixx.io
integration for TYPO3 (DAM)" (pixxio)


Categories: Development, Security
Created by Torben Hansen

It has been discovered that the extension "pixx.io integration for TYPO3
(DAM)" (pixxio) is susceptible to Server-side request forgery, Remote
Code Execution, Broken Access Control and vulnerable 3rd Party
Components.

    Release Date: November 10, 2021
    Component Type: Third party extension. This extension is not a part
     of the TYPO3 default installation.
    Component: "pixx.io integration for TYPO3 (DAM)" (pixxio)
    Vulnerability Type: Server-side request forgery, Remote Code
     Execution, Broken Access Control and vulnerable 3rd Party
     Components.
    Affected Versions: 1.0.4 and below
    Severity: High
    Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C
    References: CVE-2021-43562 and CVE-2021-43563


Problem Description

The extension fails to restrict the image download to the configured
pixx.io DAM URL, resulting in Server-side request forgery. As a result of
the Server-side request forgery vulnerability, an attacker can download
various content from a remote location and save it to a user-controlled
filename, which may result in Remote Code Execution. A TYPO3 backend user
account is required to exploit both vulnerabilities.

The Access Control in the bundled media browser is broken, which allows
an unauthenticated attacker to perform requests to the pixx.io API for
the configured API user. This allows an attacker to download various
media files from the DAM system.

Finally, the extension bundles the 3rd Party Component jQuery 3.3.1,
which contains known security vulnerabilities.


Solution

An updated version 1.0.6 is available from the TYPO3 extension manager
and at
https://extensions.typo3.org/extension/download/pixxio/1.0.6/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Andrey Basarygin, Andrey Guzei, Mikhail Khramenkov, Alexander
Sidukov and Maxim Teplykh from Solar Security for reporting the SSRF
issue, to Security Team Member Torben Hansen for finding the additional
issues and to Christoph Trautbeck for providing an updated version of
the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


_____________________________________________________________________


Wed. 10th November, 2021

TYPO3-EXT-SA-2021-016: Denial of Service in extension "Code Highlight"
(codehighlight)

Categories: Development, Security
Created by Torben Hansen

It has been discovered that the extension "Code Highlight"
(codehighlight) is susceptible to Denial of Service.

    Release Date: November 10, 2021
    Component Type: Third party extension. This extension is not a part
     of the TYPO3 default installation.
    Component: "Code Highlight" (codehighlight)
    Vulnerability Type: Denial of Service
    Affected Versions: 2.6.0 and below
    Severity: Medium
    Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L/E:F/RL:O/RC:C
    References: N/A


Problem Description

The extension bundles a version of the 3rd party JavaScript component
“prism” which is known to be vulnerable to Regular expression Denial
of Service (ReDoS).


Solution

An updated version 2.7.0 is available from the TYPO3 extension manager,
Packagist and at
https://extensions.typo3.org/extension/download/codehighlight/2.7.0/zip
Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Chris Müller for reporting the issue and for providing an
updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


_____________________________________________________________________


Wed. 10th November, 2021

TYPO3-EXT-SA-2021-015: Cross-Site Scripting in extension "Google for
Jobs" (google_for_jobs)

Categories: Development, Security
Created by Torben Hansen

It has been discovered that the extension "Google for Jobs"
(google_for_jobs) is susceptible to Cross-Site Scripting.

    Release Date: November 10, 2021
    Component Type: Third party extension. This extension is not a part
     of the TYPO3 default installation.
    Component: "Google for Jobs" (google_for_jobs)
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 1.5.0 and below, 2.0.0 - 2.1.0
    Severity: Medium
    Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2021-43561


Problem Description

The extension fails to properly encode user input for output in HTML
context. A TYPO3 backend user account is required to exploit the
vulnerability.

Note: Users of the extension who have overwritten the default Fluid
Partial Job/Properties.html must manually remove all occurrences of
f:format.raw in the affected partial.
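
The manual check described in the note above can be scripted. The following is an added example, not part of the advisory or of the extension: it lists every line that still uses f:format.raw in copies of Job/Properties.html found outside the extension's own directory. It assumes the extension is installed in a directory named google_for_jobs, so any other copy is a site override; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find f:format.raw in overridden Job/Properties.html partials.
# Assumption: the extension's own copy lives below a directory named
# google_for_jobs (its extension key) and is replaced by the update, so
# every other Job/Properties.html is treated as a site override.

# scan_raw_partials ROOT: print "file:line:text" for each remaining usage.
scan_raw_partials() {
    find "$1" -type f -path '*/Job/Properties.html' \
         ! -path '*/google_for_jobs/*' 2>/dev/null |
    while IFS= read -r file; do
        # Matches tag syntax <f:format.raw> and inline {x -> f:format.raw()}.
        # /dev/null as a second operand makes grep print the file name.
        grep -n 'f:format\.raw' "$file" /dev/null || true
    done
}

# count_raw_partials ROOT: number of lines that still need manual cleanup.
count_raw_partials() {
    scan_raw_partials "$1" | wc -l | tr -d ' '
}

# Run as: sh scan.sh /path/to/typo3/root
if [ "$#" -gt 0 ]; then
    scan_raw_partials "$1"
fi
```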


Solution

Updated versions 1.5.1 and 2.1.1 are available from the TYPO3 extension
manager, Packagist and at
https://extensions.typo3.org/extension/download/google_for_jobs/2.1.1/zip
https://extensions.typo3.org/extension/download/google_for_jobs/1.5.1/zip

Users of the extension are advised to update the extension as soon as
possible.


Credits

Thanks to Security Team Member Georg Ringer for reporting the issue and
to Michael Kunst for providing an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.
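
An installation can be checked against the fixed versions named in the four advisories above with a short script. This is an added example, not part of the advisories: it assumes each extension sits in a directory named after its extension key (for example below typo3conf/ext/) and declares its version in ext_emconf.php, and the function names are hypothetical. "outdated" means the installed version is lower than the fixed release for its branch.

```shell
#!/bin/sh
# Added example (not from the advisories): compare installed extension
# versions with the fixed releases named in this bulletin.
# Assumption: <ext_dir>/<extension key>/ext_emconf.php holds 'version' => 'x.y.z'.

# installed_version FILE: version string declared in ext_emconf.php
installed_version() {
    sed -n "s/.*['\"]version['\"][[:space:]]*=>[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# fixed_version KEY INSTALLED: fixed release for the installed major branch
fixed_version() {
    case "$1:${2%%.*}" in
        jobfair:2)         echo 2.0.2 ;;
        jobfair:*)         echo 1.0.13 ;;
        pixxio:*)          echo 1.0.6 ;;
        codehighlight:*)   echo 2.7.0 ;;
        google_for_jobs:2) echo 2.1.1 ;;
        google_for_jobs:*) echo 1.5.1 ;;
    esac
}

# ver_lt A B: succeeds when dotted version A is numerically lower than B
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit_ext EXT_DIR KEY: print one status line for the extension
audit_ext() {
    emconf="$1/$2/ext_emconf.php"
    [ -f "$emconf" ] || { echo "$2 not-installed"; return 0; }
    v=$(installed_version "$emconf")
    [ -n "$v" ] || { echo "$2 unknown-version"; return 0; }
    fixed=$(fixed_version "$2" "$v")
    if ver_lt "$v" "$fixed"; then echo "$2 $v outdated fixed-in=$fixed"
    else echo "$2 $v ok"; fi
}

# Run as: sh audit.sh /path/to/typo3conf/ext
if [ "$#" -gt 0 ]; then
    for key in jobfair pixxio codehighlight google_for_jobs; do
        audit_ext "$1" "$key"
    done
fi
```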


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

